Massive Russian hack has researchers scratching their heads

Don't worry, you're not the only one with more questions than answers about the 1.2 billion user credentials amassed by Russian hackers.

Some security researchers on Wednesday said it's still unclear just how serious the discovery is, and they faulted the company that uncovered the database, Hold Security, for not providing more details about what it discovered.

"The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify."

Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year. Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

Hold Security didn't respond to email and telephone requests for comment Wednesday, though it may have been inundated with inquiries.

To recap, Hold Security said Tuesday it had obtained a massive database of stolen credentials amassed by a gang of Russian hackers. The database contains 1.2 billion unique "credential pairs" -- made up of a user ID (mostly email addresses) and an associated password. Looking at email addresses alone, there are "over half a billion," the company said, since some email addresses correspond to multiple passwords.

To assess how serious the discovery is, researchers want to know how old the credentials collected by the Russian gang are, where they came from, and how well-protected the passwords are by "hashing," which scrambles the passwords but can be vulnerable to brute force attack.

The age is important because the older they are, the more likely they are to be disused and less valuable, said Gary Davis, chief consumer security evangelist at McAfee.

Hold Security acknowledged in its announcement that "not all" the credentials are "valid or current," with some associated with fake email addresses, closed accounts or even passwords a decade old.

It's also unclear how many of the login and password credentials were culled online recently by the hacker group, and how many were acquired on the black market from previous hacks.

Hold Security said the hackers began by buying credentials from previously attacked accounts, and then did some hacking work of their own. But it's unclear how many of the 1.2 billion credentials came from previous hacking incidents, and which incidents those were.

"If you take Sony, LinkedIn, eBay and Adobe," said Wisniewski, naming four of the biggest recent password breaches, "that's already 500 million accounts."

Experts said the passwords were likely hashed, a process used by most websites these days. But there are several methods of doing that, and the older "MD5" method, for example, is more vulnerable than a more modern method called "salting," said Wisniewski.

For now, researchers are left guessing and reading between the lines because Hold Security has not released more information.

"It will be interesting to see if public opinion pressures them," said Wisniewski.

Latest Videos

​Email fraud is nothing new, but online criminals have become ever more-effective at spoofing their identities to trick employees into sending them money. The Australian Centre for Cyber Security (ACSC) recorded losses of over $20M to business email compromise (BEC) attacks last year alone, up 230 percent over the previous year – and the full amount is certain to be much larger.​

No matter how robust your security, or how diligent your employees, network credentials are a free pass for cybercriminals. This is mostly because employees are relied upon for their own password management. And with more than 4.8 billion sets of stolen credentials said to be available online, odds are that at least a few of your employees’ user IDs and passwords are just waiting to be used by unscrupulous outsiders. Are you ready to stop them?

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.